XG v18 SSL/TLS inspection interfering with Veeam Cloud Provider Replication

Question

Hey everyone, 
 we're using Veeam and replicate backups from remote sites to our main site. Since deploying v18, we started having issues with the replication failing. After working with Veeam Support, the solution was to completely disable SSL/TLS inspection on the firewall at the main site. Not sure why it's causing issues, but at this point, I can't turn inspection on because the backup replication will fail. How can this be resolved? We're not even decrypting, and I don't think there's a way to turn off inspection for specific connections. 
 The issue seems to exist only from one site that is also running XG v18. The other ones on v17.5.9 are fine, even with inspection turned on at the replication target site - very strange. 
 How to troubleshoot and fix this? 
 Anyone else having this issue? 
 Thanks!

Michael Dunn · Accepted Answer

MichaelBolton said: 
 The DPI engine is always looking and inspecting at traffic, even if you don't want it to. It is a very poor implementation IMHO. 
 
 Actually the "DPI engine" has always looked at all traffic since XG's very beginning. 
 What is new in XG v18 is that the DPI engine is doing more than it used to. 
 - detecting HTTP traffic on any port 
 - detecting TLS on any port 
 - enforcing TLS policy on any port 
 - potentially decrypting TLS 
 - enforcing Web policy on HTTP and HTTPS on any port (not just 80/443) 
 When the XG is detecting HTTP and TLS on any port and enforcing TLS policy on any port it is slower. When it is offloading connections (fastpath), decrypting TLS and enforcing using the DPI engine it is significantly faster. The speed improvements that are made more than make up for the areas where speed is reduced. In affect we are doing more (which slows things down) but we are doing it faster (which speeds things up) resulting in a net faster speed. 
 
 MichaelBolton said: 
 So, you can disable the DPI completely and continue to use the Proxy or wait until Sophos get's a clue and realizes they need to make a change. 
 
 Clue received and GA Soft Release 2 contains a switch that disables TLS enforcement unless the firewall rule contains a web policy. Please see this post: 
 https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-ga_2d00_build339-is-now-available 
 One of the side effects of this is that customers who upgrade (and therefore TLS inspection is Off) or who turn it Off should get similar performance between 17.5 and 18.0. 
 Customers who configure their boxes to take advantage of v18.0 DPI mode and fastpath should see much greater performance. 
 MichaelBolton said: 
 Many issues have come up because of their decisions. Hopefully they change their awful approach to DPI. 
 
 Many issues are fixed in GA, GA SR2, and will be fixed in MR1. Our approach is to fix issues in DPI, not bypass DPI. 
 MichaelBolton said: 
 What most don't realize is that XG cannot meet stated performance metrics because of how Sophos chose to implement DPI. I questioned the performance of XG because of the change but, did not get a response. The XG cannot meet the performance metrics they quote in the current V18 config. As an example, Sophos states 16,000 mbps for the XG210. It cannot come close to that on v18 because the DPI engine is looking at all traffic. 
 
 I agree that performance metrics are hard to state because lab test environment don't match real world conditions. In reality in my personal opinion, published metrics (of any vendor/product) are most useful for comparing two models, not for seeing the real world usage. I would stand behind whatever the Sophos published metrics are for comparing 17.5 and 18.0 for correctly configured systems. In other words if Sophos says model xyz does 1,000 foobar in 17.5 and 1,200 foobar in 18.0 I believe that v18.0 will be 20% faster in foobar. 
 Whether you believe that the foobar numbers are achievable or not based on your understanding of DPI is immaterial. Internal and independent testing is proving otherwise. 
 MichaelBolton said: 
 If this is production, I would downgrade back to v17.5 if I were you.

I would restate. If you love to play with the latest and greatest of any product, install the latest of any product. If you need safety and stability in your products, delay before any major upgrades. That advice goes for any product of any vendor.

XG v18 SSL/TLS inspection interfering with Veeam Cloud Provider Replication

Top Replies